pgjdbc数据库的ssl证书验证源码有几点不懂的地方

postgresql 数据库用证书验证,看了一下源码,但是ssl证书验证有几点不懂的地方.
下面是pgjdbc获取完数据库的连接后, 开始启用ssl证书验证的流程.
我的问题: 过程我都看明白了, 但是不知道为什么它要这么做, 还是说这是个标准, 有人可以帮我讲解一下,或者给点资料参考也行, 谢谢
为了保持代码的简洁性,代码有删减.

 private PGStream enableSSL(PGStream pgStream, SslMode sslMode, Properties info,
      int connectTimeout)
      throws IOException, PSQLException {
    // 发送SSL请求包
    pgStream.sendInteger4(8);//发送一个4字节的整数到后端。
    pgStream.sendInteger2(1234);//发送一个2字节整数(短)到后端。
    pgStream.sendInteger2(5679);
    pgStream.flush();//将任何挂起的输出刷新到后端。
    // Now get the response from the backend, one of N, E, S. 现在从后端(N, E, S)中获取响应。
    int beresp = pgStream.receiveChar();//从后端接收单个字符。
    switch (beresp) {
      case 'S':
        //  ssl 服务器支持ssl
   **org.herodbsql.ssl.MakeSSL.convert(pgStream, info);**
        return pgStream;
    }
  }

上面可以看到,jdbc给数据库发了几个字节的整数, 然后获取响应,走不同的switch,但是不知道为什么这么做,接着进去看,convert方法

public static void convert(PGStream stream, Properties info)
      throws PSQLException, IOException {
    LOGGER.log(Level.FINE, "converting regular socket connection to ssl");

  **SSLSocketFactory factory = SocketFactoryFactory.getSslSocketFactory(info);**
    SSLSocket newConnection;
        // 将常规套接字连接转换为ssl
      newConnection = (SSLSocket) factory.createSocket(stream.getSocket(), stream.getHostSpec().getHost(), stream.getHostSpec().getPort(), true);
      // 我们必须手动调用,否则将隐藏异常
      newConnection.setUseClientMode(true);// 设置使用客户端模式
      newConnection.startHandshake();// 开始握手
      stream.changeSocket(newConnection);
  }

在看SocketFactoryFactory.getSslSocketFactory(info);

public static SSLSocketFactory getSslSocketFactory(Properties info) throws PSQLException {//获取Ssl套接字工厂
    String classname = PGProperty.SSL_FACTORY.get(info);// 获取要使用的SSL工厂的类名
    if (classname == null
        || "org.herodbsql.ssl.jdbc4.LibPQFactory".equals(classname)
        || "org.herodbsql.ssl.LibPQFactory".equals(classname)) {
      return new LibPQFactory(info);
    }
  }

接着看 new LibPQFactory(info);
这个方法应该就是加载证书的地方

 public LibPQFactory(Properties info) throws PSQLException {
    try {
      SSLContext ctx = SSLContext.getInstance("TLS"); // or "SSL" ?

      // 确定默认文件位置
      String pathsep = System.getProperty("file.separator");// 获取windows或者linux的文件夹分隔符
      String defaultdir;
      boolean defaultfile = false;
      if (System.getProperty("os.name").toLowerCase().contains("windows")) { // It is Windows
        defaultdir = System.getenv("APPDATA") + pathsep + "herodbsql" + pathsep; // 获取指定环境变量的值。环境变量是一个依赖于系统的外部命名值。
      } else {
        defaultdir = System.getProperty("user.home") + pathsep + ".herodbsql" + pathsep;
      }

      // Load the client's certificate and key 加载客户机的证书和密钥
      String sslcertfile = PGProperty.SSL_CERT.get(info);
      if (sslcertfile == null) { // Fall back to default 退回到默认状态
        defaultfile = true;
        sslcertfile = defaultdir + "herodbsql.crt";
      }
      String sslkeyfile = PGProperty.SSL_KEY.get(info);
      if (sslkeyfile == null) { // Fall back to default
        defaultfile = true;
        sslkeyfile = defaultdir + "herodbsql.pk8";
      }

      // Determine the callback handler 确定回调处理程序
      CallbackHandler cbh;
      String sslpasswordcallback = PGProperty.SSL_PASSWORD_CALLBACK.get(info);
      if (sslpasswordcallback != null) {
        try {
          cbh = (CallbackHandler) ObjectFactory.instantiate(sslpasswordcallback, info, false, null);
        } catch (Exception e) {
          throw new PSQLException(
              GT.tr("The password callback class provided {0} could not be instantiated.",
                  sslpasswordcallback),
              PSQLState.CONNECTION_FAILURE, e);
        }
      } else {
        cbh = new ConsoleCallbackHandler(PGProperty.SSL_PASSWORD.get(info));// 获取 sslkey的加密密码
      }

      // If the properties are empty, give null to prevent client key selection 如果属性为空,则为null,以防止选择客户机密钥
      km = new LazyKeyManager(("".equals(sslcertfile) ? null : sslcertfile),
          ("".equals(sslkeyfile) ? null : sslkeyfile), cbh, defaultfile);//创建lazykeymanagerduixinag

      TrustManager[] tm;
      SslMode sslMode = SslMode.of(info);
      if (!sslMode.verifyCertificate()) {
        // server validation is not required 不需要服务器验证
        tm = new TrustManager[]{new NonValidatingTM()};
      } else {
        // Load the server certificate 加载服务器证书

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");// 创建证书信任管理器工厂
        KeyStore ks;
        try {
          ks = KeyStore.getInstance("jks");// 读取秘钥是所需要用到的工具类
        } catch (KeyStoreException e) {
          // this should never happen
          throw new NoSuchAlgorithmException("jks KeyStore not available");
        }
        String sslrootcertfile = PGProperty.SSL_ROOT_CERT.get(info);//获取根证书
        if (sslrootcertfile == null) { // Fall back to default
          sslrootcertfile = defaultdir + "root.crt";
        }
        FileInputStream fis;
        try {
          fis = new FileInputStream(sslrootcertfile); // 获取根证书ca的文件流
        } catch (FileNotFoundException ex) {
          throw new PSQLException(
              GT.tr("Could not open SSL root certificate file {0}.", sslrootcertfile),
              PSQLState.CONNECTION_FAILURE, ex);
        }
        try {
          CertificateFactory cf = CertificateFactory.getInstance("X.509");// // 获取X.509工厂实例
          // Certificate[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{}); //Does
          // not work in java 1.4
          Object[] certs = cf.generateCertificates(fis).toArray(new Certificate[]{});//生成ca证书的数组视图
          ks.load(null, null);
          for (int i = 0; i < certs.length; i++) {
            ks.setCertificateEntry("cert" + i, (Certificate) certs[i]);//设置证书条目 将给定的可信证书分配给给定的别名。
          }
          tmf.init(ks);
        } catch (IOException ioex) {
          throw new PSQLException(
              GT.tr("Could not read SSL root certificate file {0}.", sslrootcertfile),
              PSQLState.CONNECTION_FAILURE, ioex);
        } catch (GeneralSecurityException gsex) {
          throw new PSQLException(
              GT.tr("Loading the SSL root certificate {0} into a TrustManager failed.",
                      sslrootcertfile),
              PSQLState.CONNECTION_FAILURE, gsex);
        } finally {
          try {
            fis.close();
          } catch (IOException e) {
            /* ignore */
          }
        }
        tm = tmf.getTrustManagers();
      }

      // finally we can initialize the context 最后,我们可以初始化上下文
      try {
        ctx.init(new KeyManager[]{km}, tm, null);
      } catch (KeyManagementException ex) {
        throw new PSQLException(GT.tr("Could not initialize SSL context."),
            PSQLState.CONNECTION_FAILURE, ex);
      }

      factory = ctx.getSocketFactory();
    } catch (NoSuchAlgorithmException ex) {
      throw new PSQLException(GT.tr("Could not find a java cryptographic algorithm: {0}.",
              ex.getMessage()), PSQLState.CONNECTION_FAILURE, ex);
    }
  }

1个回答

qq_41475316
__BlueCat 感谢你的回答, 但是我并没有从你的链接中得到解惑
11 个月之前 回复
Csdn user default icon
上传中...
上传图片
插入图片
抄袭、复制答案,以达到刷声望分或其他目的的行为,在CSDN问答是严格禁止的,一经发现立刻封号。是时候展现真正的技术了!
立即提问
相关内容推荐